docs: project docs, scripts, deployment configs, and evidence

docs/evidence/ops/2026-03-27/backup-restore/20260327-182059/BACKUP_RESTORE_DRILL.md

@@ -0,0 +1,39 @@
+# Backup Restore Drill
+
+- Generated at: 2026-03-27 18:21:07 +08:00
+- Source DB: D:\project\data\user_management.db
+- Backup DB: D:\project\docs\evidence\ops\2026-03-27\backup-restore\20260327-182059\user_management.backup.db
+- Restored DB: D:\project\docs\evidence\ops\2026-03-27\backup-restore\20260327-182059\user_management.restored.db
+- Probe port: 18080
+
+## Hash Validation
+
+- source sha256: 546D353065A10AA7B2B429A8ED6CBE03830D528567FB769A242A0854256F4857
+- backup sha256: 546D353065A10AA7B2B429A8ED6CBE03830D528567FB769A242A0854256F4857
+- restored sha256: 546D353065A10AA7B2B429A8ED6CBE03830D528567FB769A242A0854256F4857
+
+## Snapshot Comparison
+
+- source tables: {"devices":0,"login_logs":18,"operation_logs":50,"password_histories":0,"permissions":17,"role_permissions":20,"roles":2,"user_roles":1,"users":1,"webhook_deliveries":0,"webhooks":0}
+- restored tables: {"devices":0,"login_logs":18,"operation_logs":50,"password_histories":0,"permissions":17,"role_permissions":20,"roles":2,"user_roles":1,"users":1,"webhook_deliveries":0,"webhooks":0}
+- source existing tables: devices, login_logs, operation_logs, password_histories, permissions, role_permissions, roles, sqlite_sequence, user_roles, user_social_accounts, users, webhook_deliveries, webhooks
+- restored existing tables: devices, login_logs, operation_logs, password_histories, permissions, role_permissions, roles, sqlite_sequence, user_roles, user_social_accounts, users, webhook_deliveries, webhooks
+- source missing tables: social_accounts
+- restored missing tables: social_accounts
+- sample users: e2e_admin
+
+## Restore Service Verification
+
+- GET /health: pass
+- GET /health/ready: pass
+- GET /api/v1/auth/capabilities: pass
+- auth capabilities payload: {"password":true,"email_activation":false,"email_code":false,"sms_code":false,"password_reset":false,"admin_bootstrap_required":false,"oauth_providers":[]}
+
+## Evidence Files
+
+- source-snapshot.json
+- restored-snapshot.json
+- server.stdout.log
+- server.stderr.log
+- config.restore.yaml
+

docs/evidence/ops/2026-03-27/backup-restore/20260327-182059/config.restore.yaml

@@ -0,0 +1,215 @@
+server:
+  port: 18080
+  mode: release  # debug, release
+  read_timeout: 30s
+  read_header_timeout: 10s
+  write_timeout: 30s
+  idle_timeout: 60s
+  shutdown_timeout: 15s
+  max_header_bytes: 1048576
+
+database:
+  type: sqlite  # current runtime support: sqlite
+  sqlite:
+    path: "D:/project/docs/evidence/ops/2026-03-27/backup-restore/20260327-182059/user_management.restored.db"
+  postgresql:
+    host: localhost
+    port: 5432
+    database: user_management
+    username: postgres
+    password: ""
+    ssl_mode: disable
+    max_open_conns: 100
+    max_idle_conns: 10
+  mysql:
+    host: localhost
+    port: 3306
+    database: user_management
+    username: root
+    password: ""
+    charset: utf8mb4
+    max_open_conns: 100
+    max_idle_conns: 10
+
+cache:
+  l1:
+    enabled: true
+    max_size: 10000
+    ttl: 5m
+  l2:
+    enabled: false
+    type: redis
+    redis:
+      addr: localhost:6379
+      password: ""
+      db: 0
+      pool_size: 50
+      ttl: 30m
+
+redis:
+  enabled: false
+  addr: localhost:6379
+  password: ""
+  db: 0
+
+jwt:
+  algorithm: RS256
+  secret: ""
+  private_key_path: "./data/jwt/private.pem"
+  public_key_path: "./data/jwt/public.pem"
+  private_key_pem: ""
+  public_key_pem: ""
+  access_token_expire: 2h
+  refresh_token_expire: 168h  # 7澶?= 168灏忔椂
+
+security:
+  password_min_length: 8
+  password_require_special: true
+  password_require_number: true
+  login_max_attempts: 5
+  login_lock_duration: 30m
+
+ratelimit:
+  enabled: true
+  login:
+    enabled: true
+    algorithm: token_bucket
+    capacity: 5
+    rate: 1
+    window: 1m
+  register:
+    enabled: true
+    algorithm: leaky_bucket
+    capacity: 3
+    rate: 1
+    window: 1h
+  api:
+    enabled: true
+    algorithm: sliding_window
+    capacity: 1000
+    window: 1m
+
+monitoring:
+  prometheus:
+    enabled: true
+    path: /metrics
+  tracing:
+    enabled: false
+    endpoint: http://localhost:4318
+    service_name: user-management-system
+
+logging:
+  level: info  # debug, info, warn, error
+  format: json  # json, text
+  output:
+    - stdout
+    - ./logs/app.log
+  rotation:
+    max_size: 100  # MB
+    max_age: 30    # days
+    max_backups: 10
+
+admin:
+  username: ""
+  password: ""
+  email: ""
+
+cors:
+  enabled: true
+  allowed_origins:
+    - "http://localhost:3000"
+    - "http://127.0.0.1:3000"
+  allowed_methods:
+    - GET
+    - POST
+    - PUT
+    - DELETE
+    - OPTIONS
+  allowed_headers:
+    - Authorization
+    - Content-Type
+    - X-Requested-With
+    - X-CSRF-Token
+  max_age: 3600
+
+email:
+  host: ""          # 鐢熶骇鐜濉啓鐪熷疄 SMTP Host
+  port: 18080
+  username: ""
+  password: ""
+  from_email: ""
+  from_name: "鐢ㄦ埛绠＄悊绯荤粺"
+
+sms:
+  enabled: false
+  provider: ""  # aliyun, tencent锛涚暀绌鸿〃绀虹鐢ㄧ煭淇¤兘鍔?  code_ttl: 5m
+  resend_cooldown: 1m
+  max_daily_limit: 10
+  aliyun:
+    access_key_id: ""
+    access_key_secret: ""
+    sign_name: ""
+    template_code: ""
+    endpoint: ""
+    region_id: "cn-hangzhou"
+    code_param_name: "code"
+  tencent:
+    secret_id: ""
+    secret_key: ""
+    app_id: ""
+    sign_name: ""
+    template_id: ""
+    region: "ap-guangzhou"
+    endpoint: ""
+
+password_reset:
+  token_ttl: 15m
+  site_url: "http://localhost:8080"
+
+# OAuth 绀句氦鐧诲綍閰嶇疆锛堢暀绌哄垯绂佺敤瀵瑰簲 Provider锛?
+oauth:
+  google:
+    client_id: ""
+    client_secret: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/google/callback"
+  wechat:
+    app_id: ""
+    app_secret: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/wechat/callback"
+  github:
+    client_id: ""
+    client_secret: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/github/callback"
+  qq:
+    app_id: ""
+    app_key: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/qq/callback"
+  alipay:
+    app_id: ""
+    private_key: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/alipay/callback"
+    sandbox: false
+  douyin:
+    client_key: ""
+    client_secret: ""
+    redirect_url: "http://localhost:8080/api/v1/auth/oauth/douyin/callback"
+
+# Webhook 鍏ㄥ眬閰嶇疆
+webhook:
+  enabled: true
+  secret_header: "X-Webhook-Signature"   # 绛惧悕 Header 鍚嶇О
+  timeout_sec: 30                         # 鍗曟鎶曢€掕秴鏃讹紙绉掞級
+  max_retries: 3                          # 鏈€澶ч噸璇曟鏁?
+  retry_backoff: "exponential"            # 閫€閬跨瓥鐣ワ細exponential / fixed
+  worker_count: 4                         # 鍚庡彴鎶曢€掑崗绋嬫暟
+  queue_size: 1000                        # 鎶曢€掗槦鍒楀ぇ灏?
+
+# IP 瀹夊叏閰嶇疆
+ip_security:
+  auto_block_enabled: true               # 鏄惁鍚敤鑷姩灏佺
+  auto_block_duration: 30m              # 鑷姩灏佺鏃堕暱
+  brute_force_threshold: 10             # 鏆村姏鐮磋В闃堝€硷紙绐楀彛鍐呭け璐ユ鏁帮級
+  detection_window: 15m                 # 妫€娴嬫椂闂寸獥鍙?
+
+
+

docs/evidence/ops/2026-03-27/backup-restore/20260327-182059/restored-snapshot.json

@@ -0,0 +1,40 @@
+{
+  "generated_at": "2026-03-27T18:21:02+08:00",
+  "path": "D:\\project\\docs\\evidence\\ops\\2026-03-27\\backup-restore\\20260327-182059\\user_management.restored.db",
+  "file_size": 208896,
+  "existing_tables": [
+    "devices",
+    "login_logs",
+    "operation_logs",
+    "password_histories",
+    "permissions",
+    "role_permissions",
+    "roles",
+    "sqlite_sequence",
+    "user_roles",
+    "user_social_accounts",
+    "users",
+    "webhook_deliveries",
+    "webhooks"
+  ],
+  "missing_tables": [
+    "social_accounts"
+  ],
+  "tables": {
+    "devices": 0,
+    "login_logs": 18,
+    "operation_logs": 50,
+    "password_histories": 0,
+    "permissions": 17,
+    "role_permissions": 20,
+    "roles": 2,
+    "user_roles": 1,
+    "users": 1,
+    "webhook_deliveries": 0,
+    "webhooks": 0
+  },
+  "sample_users": [
+    "e2e_admin"
+  ]
+}
+

docs/evidence/ops/2026-03-27/backup-restore/20260327-182059/source-snapshot.json

@@ -0,0 +1,40 @@
+{
+  "generated_at": "2026-03-27T18:21:01+08:00",
+  "path": "D:\\project\\data\\user_management.db",
+  "file_size": 208896,
+  "existing_tables": [
+    "devices",
+    "login_logs",
+    "operation_logs",
+    "password_histories",
+    "permissions",
+    "role_permissions",
+    "roles",
+    "sqlite_sequence",
+    "user_roles",
+    "user_social_accounts",
+    "users",
+    "webhook_deliveries",
+    "webhooks"
+  ],
+  "missing_tables": [
+    "social_accounts"
+  ],
+  "tables": {
+    "devices": 0,
+    "login_logs": 18,
+    "operation_logs": 50,
+    "password_histories": 0,
+    "permissions": 17,
+    "role_permissions": 20,
+    "roles": 2,
+    "user_roles": 1,
+    "users": 1,
+    "webhook_deliveries": 0,
+    "webhooks": 0
+  },
+  "sample_users": [
+    "e2e_admin"
+  ]
+}
+